Password recovery questions: who already knows your mother’s maiden name?

We’ve all been there: you go to log into a website and realize that you just can’t remember your password. And it’s not like you can easily guess it, because you probably used a strong password rather than something insecure like your dog’s name (right?). So you click that little link that says “forgot password” and start the process of getting back into your account.

The website developers made a choice at that point, and it affects your security. They might send a password reset link to your email address and let you reset it there. Hopefully they don’t send you your current password in the email itself; if they can read it back to you, they’re storing it in a form that isn’t properly protected. It’s a bit better if they send you a temporary password that expires after a set period of time. But in many cases, they’ll prompt you to reset your password by verifying your identity and answering password recovery questions.

In the early days of social media, there was a game making the rounds. It said that your “adult entertainer” name was your first pet’s name and the street you grew up on. If I had played it, I would have been Alex Sunset, which honestly has a nice ring to it (I’ll explain in a bit why I don’t mind telling you that). But do those pieces sound familiar? “Pet’s name” and “Street you grew up on” were at the time (and in too many cases, still are) some of the most popular password recovery questions. By giving hackers and identity thieves that information, you’ve already made their job a lot easier.

Fast forward to today: we’re living in the information age. Back in the 1800s when telegraph banking became a thing, most people didn’t know another person’s mother’s maiden name unless they were a part of the family or at least from the area. So when they came up with security standards, it seemed like a good question to ask someone who wanted their money transferred to a different area. Yes, “mother’s maiden name” as a security question is really that old. But today, websites collect that information for you and make it very easy to find. The other answers might be found on your Facebook page or other “people search” websites.

Fortunately, many websites have realized this and changed up their questions to ones that can’t be easily found. They’re more opinions and personality traits than searchable facts, things like “what’s your favorite vacation spot?” or “who was your favorite teacher in high school?” Sure, someone following you on social media might also know the answers to those questions, but the idea is that only you would know all of them. Well, maybe you and someone who lives in your home or grew up with you. That’s the biggest flaw in even these “second generation” security questions: they assume that only you would know about your memories and opinions, and that’s clearly not always the case.

There’s no delicate way to put this, so I’ll just say it: it’s okay to lie. Or maybe I’ll put it another way: it’s perfectly fine to use answers that you’d remember but someone else might not think to use. If your favorite vacation spot is New York City, make a habit of naming your LEAST favorite vacation spot instead. Instead of naming your favorite food, name your favorite drink. Be consistent, be unpredictable, be secure. There’s another benefit to doing it this way: most sites will alert you if someone tries to reset your password. You get an alert, but your password remains intact.

So feel free to use my first pet’s name and the street I grew up on to reset my passwords, because I don’t.

(Just want to mention, another option is to use a password manager to store your very secure passwords. That’s another topic on its own, but if you’re going to use one make sure you’re able to protect the primary password, since it controls access to the rest of them!)
